Sorry, not quite sure where to post this. I have a server that's running:
Webserver (http, https)
Mailserver (pop3s, imaps, smtp)
FTP server (Explicit SFTP)
Database server (no remote access)
SSH
Could there be any tutorial in here that fits my needs? I've no experience with iptables so far, and every time I tried I messed something up (I basically try to block all ports except those I've read these services use).
You could install some kind of wrapper script like Shorewall or Bastille; they make it easy to configure iptables.
I like using ufw, very simple syntax: ufw allow 80, or if your service has keywords associated with it: ufw allow http
This would be an example of a simple firewall doing exactly as you asked. Further complex configurations such as with logging, NAT, rate limiting, QoS, etc. are not difficult and operate very similarly. Just remember iptables used to be called ipchains because essentially an incoming packet goes down its initial chain (INPUT or FORWARD) until it is either
1. explicitly accepted,
2. explicitly DROP/REJECTed, or
3. passed off to another chain.
And if it meets no specific action (or jump, i.e. -j ACCEPT) then it follows the default policy specified by running "iptables -P {INPUT,OUTPUT,FORWARD} {ACCEPT,DROP,REJECT}". With that, consider the following:
Code:
#!/bin/bash
IPT=/sbin/iptables

# Start from empty chains so re-running the script does not stack duplicate rules
$IPT -F INPUT
$IPT -F FORWARD

# Accept loopback traffic, otherwise local-only services (the database with
# no remote access) stop working once the INPUT policy is DROP
$IPT -A INPUT -i lo -j ACCEPT

# Accept all RELATED or ESTABLISHED packets (any protocol, not only tcp, so the
# replies to the server's own DNS lookups and ICMP errors still get in)
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow new http/https connections
$IPT -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# Allow new smtp, smtps, imaps, pop3s (pop3s is 995; the original list named
# it in the comment but left the port out)
$IPT -A INPUT -p tcp -m multiport --dports 25,465,993,995 -j ACCEPT

# Allow new ftps connections: 989/990 are the implicit FTPS ports. Explicit
# FTPS (AUTH TLS) runs on 21, and either way the daemon's passive data port
# range has to be opened as well, because the conntrack FTP helper cannot
# read the encrypted control channel. FTP is tcp-only, so no udp rule is needed.
$IPT -A INPUT -p tcp -m multiport --dports 989,990 -j ACCEPT

# Allow new SSH connection from ENTIRE internet
#$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow new SSH conn from only <IP>
$IPT -A INPUT -p tcp -s <IP> --dport 22 -j ACCEPT

####
# The below code will ensure that no other incoming
# packets are accepted nor packets that could be
# destined for FORWARD'ing to other machines.
####
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
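The same service set as the post above, written as an added example (not the poster's script) in iptables-restore(8) format so that policies and rules load in one atomic step, with a rollback timer so a bad rule cannot lock you out of SSH, which is the usual way people "mess something up" the first time. ADMIN_IP (192.0.2.10, a TEST-NET placeholder), the passive FTP range PASV_RANGE and the ROLLBACK path are assumptions to change for your host; the passive range must match whatever the FTP daemon is configured to use.

```shell
#!/bin/bash
# Added example, not the original poster's script: the thread's services as an
# iptables-restore(8) ruleset, applied with an automatic rollback timer.
#
# Assumptions (hypothetical, change for your host):
#   ADMIN_IP    the only address allowed to open SSH (192.0.2.10 is a TEST-NET placeholder)
#   PASV_RANGE  the FTP daemon's passive data port range; must match its config
#   ROLLBACK    where the previous ruleset is saved while the new one is on trial

ADMIN_IP="${ADMIN_IP:-192.0.2.10}"
PASV_RANGE="${PASV_RANGE:-50000:50100}"
ROLLBACK="${ROLLBACK:-/run/iptables.rollback}"

# build_ruleset: print the complete ruleset in iptables-restore format.
# Lines starting with '#' are comments that iptables-restore ignores.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local-only services (the database) keep working
-A INPUT -i lo -j ACCEPT
# replies to the server's own outbound traffic (DNS answers, etc.), any protocol
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# packets conntrack cannot classify never reach the service rules
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping and the ICMP errors that path-MTU discovery depends on
-A INPUT -p icmp -j ACCEPT
# http/https
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# smtp, smtps, imaps, pop3s
-A INPUT -p tcp -m multiport --dports 25,465,993,995 -j ACCEPT
# implicit FTPS control/data plus the passive data range (TLS hides the
# control channel, so the conntrack ftp helper cannot open these for you)
-A INPUT -p tcp -m multiport --dports 989,990 -j ACCEPT
-A INPUT -p tcp --dport ${PASV_RANGE} -j ACCEPT
# ssh only from the admin address; everything else falls to the DROP policy
-A INPUT -p tcp -s ${ADMIN_IP} --dport 22 -j ACCEPT
COMMIT
EOF
}

# count_accept_rules: number of ACCEPT rules in the generated ruleset, a quick
# sanity check that nothing unexpected was opened.
count_accept_rules() {
    build_ruleset | grep -c -- '-j ACCEPT$'
}

# apply_with_rollback SECONDS: save the live ruleset, load the new one, and
# revert automatically after SECONDS unless confirm_ruleset is run first.
# Needs root; run it from the SSH session you want to keep.
apply_with_rollback() {
    grace="${1:-60}"
    iptables-save > "$ROLLBACK"
    build_ruleset | iptables-restore
    ( sleep "$grace" && iptables-restore < "$ROLLBACK" ) &
    echo "$!" > "$ROLLBACK.pid"
    echo "new ruleset live; run '$0 confirm' within ${grace}s or it is rolled back"
}

# confirm_ruleset: cancel the pending rollback once you have verified that a
# fresh SSH login still works.
confirm_ruleset() {
    kill "$(cat "$ROLLBACK.pid")" && rm -f "$ROLLBACK.pid" && echo "ruleset confirmed"
}

# Stand-alone: print the ruleset; "apply [seconds]" loads it with the guard,
# "confirm" keeps it.
case "${1:-print}" in
    apply)   apply_with_rollback "${2:-60}" ;;
    confirm) confirm_ruleset ;;
    *)       build_ruleset ;;
esac
```

Usage: run it with no arguments first and read the printed ruleset, then `sudo ./fw.sh apply 60`, open a new SSH session from ADMIN_IP to prove you can still get in, and `sudo ./fw.sh confirm`. If the new login fails, do nothing; the old ruleset comes back after 60 seconds. Loading via iptables-restore also avoids the window the rule-by-rule script has between the last -A and the -P DROP, and makes re-running idempotent because the whole table is replaced rather than appended to.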